Protecting Your Backups From Ransomware Attacks

As recent data has shown, ransomware threat actors are increasingly attacking backup repositories to prevent restores after attacks commence. In fact, not only is this action an essential part of their modus operandi, but they are also quite successful at it! Statistics indicate they succeed, partially or completely, in impacting backup repositories 68% of the time!

Given our thesis, that the overwhelming majority of your data outages are likely to be cyber-threat related moving forwards, protecting your backups from attacks is going to be critical. Below are our recommendation on the must-have capabilities of any solution that claims to effectively protect you from ransomware. The recommendations apply regardless of whether you are evaluating a new modern data protection solution or looking to re-configure your existing solution.

We split the capabilities into three logical groups:

• Backup storage properties
• Infrastructure setup
• Backup management

Backup Storage Properties

Offline Storage: One of the best ways to safeguard backups is to keep them on truly offline storage (e.g., tape libraries). However, this does require the storage to be truly offline. If you reconnect all your backup storage at frequent intervals to consume new backups, that just delays attacks and does not prevent them. Such systems are also more complex and expensive to operate. This is why we believe that the right tradeoff between security, usability, and cost is our next option: Immutable Backups.

Immutable Storage: Why should your backup storage be immutable? Because once the backups have been created, it should not be possible to modify or delete them for some amount of time. For cost efficiency reasons, the time period doesn’t need to map to your backup retention schedule. More practically, assuming you are taking at least daily backups, consider immutability for at least the expected period between a ransomware attack starts and detection or ransomware demand contact.

We highly recommend using cloud object storage systems that provide object lock and object retention (AWS S3 is the gold standard here). While correctly using object locks and retention is complicated, the backup vendor should be responsible for making that complexity invisible to the end user.  

On-premises appliances from backup and object storage vendors often claim to provide immutable backups, but these appliances are on the same infrastructure as the rest of your systems, making other attacks against them possible. If the appliance is virtual, an attacker can corrupt the underlying storage. If the appliance is physical, attackers might discover ways to get administrator access to them including support credentials compromises or CVE exploits.  

Infrastructure Setup

Isolated Infrastructure: Even if it is not offline or air gapped, your backup infrastructure and related credentials and secret management should be completely isolated from the rest of your IT systems. While this might sound complicated to implement on-premises, picking a cloud Backup-as-a-Service vendor makes this straightforward. Even without all the advantages of reducing day-to-day backup administration overhead, the security advantages of SaaS backup platforms make them the favored choice for modern data protection.

Access Control: Finally, a backup platform should allow you to implement strict and scoped access controls. Authorized personnel should have a level of access that matches the business need (e.g., not all users should have access to all backups). Login will be ideally SSO based or at the very least vendors should enforce the use of strong passwords and two-factor authentication (2FA). The backup platform should also provide support for activity auditing. If evaluating SaaS backup providers, you should insist on current SOC Type 2 certification, but beyond that should pay particular attention to the level of access for support staff. The top vendors will implement strict, scoped, and auditable access controls for their production environments.  

Backup Management

Delayed Backup Deletion: As mentioned above, it doesn’t make sense to make backups immutable forever. After all, you do want to garbage-collect backups outside of your retention policy as they consume storage and impact regulatory compliance. However, a backup system that provides delayed backup deletion is an additional tool for defeating attackers. This feature would allow your IT team to “undelete” backups if they detect an attack against the backup systems. Of course, this would only apply to backups that are deleted by a user and not the automatic deletion that follows from your normal retention policies.  

Artificial Intelligence: While AI is an overused term today, the use of Machine Learning algorithms to identify anomalous behavior can be a very powerful tool in detecting attacks against backup repositories and triggering alerts and remediation. When a system suddenly starts seeing a rapid ramp of manual backup deletions, investigating and throttling this behavior would be the appropriate response. AI can also be a powerful tool to detect if the backup system is being used as a path to exfiltrate data. For example, sudden increases in manual backup downloads instead of restores to the original data source should be automatically detected.

Data Integrity Verification: Given the complexity of our IT environments, it might not always be possible to pick the best vendor for the job (a SaaS provider that uses cloud object storage). However, even in an imperfect world, it is only fair to expect your backup platform to implement strong data integrity features. Encryption with secure key management is table stakes but, more importantly, it should also use cryptographic checksums to ensure that data is never corrupted by “under the hood” access. The complexity of periodically verifying backup integrity over different subsets of the data should be borne by the backup platform. The system should also either directly support automated test restores or provide the API hooks for the IT team to easily and periodically verify that data can be cleanly restored.

Safe Backup Identification: For faster recovery after attacks, the backup platform should also allow IT admins to identify “safe” backups easily and quickly. This includes both data integrity checks but also detection and elimination of malware and ransomware.

Want to Learn More?

As the above points show, a multi-layered defense strategy is essential for protecting your backups. We, at Alcion, care deeply about these topics and, from Day 1, have designed a system from the ground up to protect your data safely and securely. We will continue to publicly share more about everything we do internally in this area.

If you’re a Microsoft 365 admin, check it out for yourself, you can try Alcion for free! The trial runs for 14 days, and no credit card is required.

You might also want to read an article discussing the security-focused point of view on why you should back up Office 365, along with some best practices, which broadens the perspective on some topics covered in this blog post and underscores the criticality of your organization's Microsoft 365 data security.